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(54) Efficient block cipher method 

(57) The present invention provides an encryption 
or cipher method that uses the same pseudorandom 
function twice rather than different pseudorandom func- 
tions. Additionally, the present invention uses hashing 
functions that are highly efficient. The hashing functions 
of the present invention are square hashing functions 
that square a sum of a key and a data string rather than 
using a multiplication. As a result the hashing operation 
only requires w 2 * w operations rather than the w 2 oper- 
ations required by the inefficient hashing functions used 
in the prior art.. Additionally, the present invention re- 
places the exclusive ORed operations of the prior art 
with modular "n" summing operations. 
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Description 

Background of the invention 
Field of the Invention 

[0001] The present invention relates to data manipu- 
lation; more particularly, data ciphering or encryption. 

Description of the Related Art 

[0002] Block data encryption or ciphering involves in- 
putting a block or string of data and producing a corre- 
sponding encrypted or ciphered block or string of data. 
Block encryption on ciphering is used to provide data 
security when using easily interceptable communication 
such as cellular communications. 
[0003] In the past the Luby-Rackoff method was used 
to encrypt blocks of data. This method is illustrated in 
FIG. 1 . In step 100 a block of data to be encrypted con- 
taining "2^ bits is inputted. In step 102 the "2n" block 
or string of input data is split into 2 blocks of "n" bits each 
labeled Lq and R 0 . In step 1 04 the Rq block of data is 
used as an operand and pseudorandom function f v 
Pseudorandom function t, may be a function such as 
the RIPE-MD pseudorandom function, the GGM pseu- 
dorandom function, or the MD5 pseudorandom function. 
The output from step 1 04 is exclusive ORed, with the 
string of bits from step 102. The output of step 106 is 
passed to step 1 08 where the output of step 1 06 is used 
as R-, having "n" bits and is set equal to R 0 which also 
has "n" bits. In step 110, is used as an operand of a 
second pseudorandom function f 2 . Pseudorandom 
function f 2 is different than pseudorandom function f v 
The result produced by step 11 0 is exclusive ORed with 
L-, in step 1 1 2. In step 1 1 4 the output of step 1 1 2 is stored 
as the "n" bit string R 2 and the string Lg is set equal to 
the "n" bit string R 1 . In step 1 1 6 string R 2 is used as an 
operand of pseudorandom function f 3 . Pseudorandom 
function f 3 is different than pseudorandom functions f, 
and f 2 . In step 11 8 the output of pseudorandom function 
f 3 is exclusive ORed with the value Lg. In step 120 the 
output of step 118 is stored as "n" bit string R 3 and the 
string L 3 is set equal to the M n" bit string R^ In step 122 
pseudorandom function f 4 uses string R 3 as an operand 
to produce an output used by step 124. Pseudorandom 
function f 4 is different than pseudorandom functions f, 
through f 3 . In step 124 the output of pseudorandom 
function f 4 is exclusive ORed with the string Lg. In step 
126 the output from step 124 is stored as "n" bit string 
R 4 and the string L 4 is set equal to the "n" bit string R 3 . 
In step 128 the strings L 4 and R 4 are outputted as the 
u 2n" output of the encryption method illustrated in the 
figure. 

[0004] The method illustrated in FIG. 1 uses four dif- 
ferent pseudorandom functions and as a result is a com- 
putational intensive method. 

[0005] FIG. 2 illustrates a second prior art method for 



encrypting blocks or strings of data. This method is 
known as the Naor-Reingold encryption method. In step 
140 a "2n" block of data to be encrypted is inputted. In 
step 142 the "2n* bits of data is used an operand of a 
5 hash function such as the hash function of Equation (1 ) 
to produce w 2n" bit out. 

h(m) = (ma + 6)mod n (1) 

10 

[0006] In step 1 44 the n 2n° bits produced by step 1 42 
are broken into blocks Lq and R 0 , each consisting of D n M 
bits. In step 146 pseudorandom function f, uses data 
block R 0 as an operand to produce an output used by 

15 step 1 48. Pseudorandom function t A may be, for exam- 
ple, one of the pseudorandom functions discussed with 
regard to FIG. 1 . In step 148 the output from step 146 
is exclusive ORed with data block or string Lq. The out- 
put of step 148 is stored as "n M bit string R 1 in step 150 

20 and "n" string L 1 is set equal to "n" bit string Rq. In step 
152 pseudorandom function f 2 uses data string R-, as 
an operand to produce an output for step 1 54. Pseudor- 
andom function f 2 is a different pseudorandom function 
than f v In step 154 the output of step 152 is exclusive 

25 ORed modular "n", with data string L v In step 156 the 
output of step 1 54 is stored as u n" bit string R2 and string 
L 2 is set equal to "n u bit string R 1 . In step 1 58 a second 
hash function uses the "2n" both from "n n bit string 
and "n" bit string R 2 as an operand to produce a "2n" 

30 bits output which is outputted in step 1 60. 

[0007] The prior art encryption method illustrated by 
FIG. 4 is also computationally intensive. It uses two dif- 
ferent pseudorandom functions and two inefficient hash 
functions. A hash function, such as the has function of 

35 Equation (1), involves a multiplication of a key ("A") 
times the data string. Such a multiplication is computa- 
tionally intensive and involves w 2 operations where "W" 
is the number of words in the data string. If, for example, 
the data block is 160 bits long, and the processor exe- 

40 cuting the method uses 32 bit words, there are 5 words 
composing the string and as a result 5 s or 25 operations 
are required to perform the multiplication. 

Summary of the Invention 

45 

[0008] The present invention solves the aforemen- 
tioned inefficiencies by providing an encryption or cipher 
method that uses the same pseudorandom function 
twice rather than different pseudorandom functions. Ad- 

50 ditionally, the present invention uses hashing functions 
that are highly efficient. The hashing functions of the 
present invention are square hashing functions that 
square a sum of a key and a data string rather than using 
a multiplication. As a result the hashing operation only 

55 requires w 2 * w operations rather than the w 2 operations 
required by^he inefficient hashing functions used in the 
prior art. Additionally, the present invention replaces the 
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exclusive ORed operations of the prior art with modular 
"n" summing operations. 

Brief Description of the Drawings 

[0009] 

FIG. 1 illustrates the Luby-Rackoff prior art encryp- 
tion method; 

FIG. 2 illustrates the Naor-Reingold prior art encryp- 
tion method; 

FIG. 3 illustrates an efficient encryption method us- 
ing square hashing functions; 
FIG. 4 illustrates an efficient decryption method us- 
ing square hashing functions; 
FIG. 5 illustrates an overview of the method used 
to develop keys K-, through K 4 ; 
FIG. 6 illustrates how the operands for the SHA 
function are selected to produce S t ; 
FIG. 7 illustrates how the operands for the SHA 
function are selected to produce S2 through S t1 ; 
and 

FIG. 8 illustrates how the least significant bits of 
strings X 1 through X ni are used to provide the 832 
bits used as keys Kj through K 4 . 

Detaiied Description of the Invention 

[0010] FIG. 3 illustrates an efficient encryption meth- 
od using square hashing functions and one type of pseu- 
dorandom function. In step 200 a block or string of data 
is inputted for encryption. In step 202 t the "2n" bit string 
is broken into strings "L" and °R", each consisting of "n" 
bits. In step 204, a square hashing function, such as the 
square hashing function of Equation (2) is used. 

h{m) = {m+af mod n (2) 

[0011] The hashing function uses key and data 
block "R" as an operand to produce an "n" bit output. 
The "n" bit output from step 204 is summed, modular 
"n", with the "L" block of data in step 206. In step 208, 
the output from step 206 is stored as "n" bit string "S" 
and string "R" is once again stored as a "n" bit string 
block -R°. In step 21 0, the "n" bit block "S" is used as an 
operand by pseudorandom function "f with key Kg to 
produce an "n" bit output to be used in step 212. The 
pseudorandom function "f may be one of the pseudor- 
andom functions discussed with regard to FIGS. 1 and 
2, but preferably it is the SHA pseudorandom function 
that is a well-known standard and described in the at- 
tached Appendix entitled "SECURE HASH STAND- 
ARD". In step 212 the output from step 210 is summed 
modular "n", with data string "R" to produce an "n" bit 
output. In step 214, the "n" bit output from step 212 is 
stored as "n" bit string T" and the "n" bit string from step 



208 is stored again as "n" bits block "S". In step 216, the 
same pseudorandom function that was used in step 21 0 
is used again with the same key Kg to operate on data 
string "T" to produce an "n" bit string. In step 218, the 

5 "n" bit output from step 21 6 is summed modular "n n , with 
"n" bit string "S". In step 220 the "n" bit output from step 
218 is stored as "n" bit string "V" and "n" bit string T is 
once again stored as string T. In step 222, the same 
square hashing function that was used in step 204 is 

10 used with key K 3 to operate on data string "V to produce 
an "n" bit output. In step 224, the output of step 222 is 
summed modular "n", with "n" bit string T\ In step 226 
the output of step 224 is stored as "n" bit string "W" and 
"n M bit string U V B is once again stored as "n" bit string "V°. 

is In step 228 the data strings "V and "W" are used as a 
"2n" bit output that is an encrypted representation of the 
input block or string. 

[0012] FIG. 4 illustrates the decryption or decipher 
method associated with the encryption or cipher method 

20 illustrated in FIG. 3. In step 240 the "2n" bit input to be 
decrypted is inputted. In step 242 the "2n" bits input is 
broken into strings or blocks "V" and "W, each consist- 
ing of "n" bits. In step 244, the "n* bit string "V" is used 
as an operand of the square hashing function described 

25 by Equation (2) with key K 3 . Step 244 produces an "n" 
bit output used by step 246 which subtracts the output 
of step 244 from string "W° using a modular "n" opera- 
tion. In step 248, the output of step 246 is stored as "n" 
bit string T and the "n" bit string "V" is once again 

30 stored as string "V". In step 250, the same pseudoran- 
dom function that was used in the encryption process is 
used with key Kg to operated on string T to produce 
an "n" bit output. In step 252, the output from step 250 
is subtracted from data string "V" using a modular "n" 

35 operation to produce an "n" bit output. In step 254 the 
output of step 252 is stored in "n" bit strings "S" and °n" 
bit string "T is once again stored as string T\ In step 
256 the same pseudorandom function with the same 
key as step 250 operates on string "S" to produce an "n" 

40 bit output. In step 258 the output of step 256 is subtract- 
ed from string T" using a modular "n" operation to pro- 
duce an "n" bit string. In step 260 the "n" bit string from 
step 258 is stored as "n" bit string "R" and "n" bit string 
"S" is once again stored as string "S". In step 262 the 

45 square hashing function described by Equation (2) is 
used with key to operate on data string "R" to produce 
an °n"-bit output. In step 264 the "n" bit output from step 
262 is subtracted from data string "S" using a modular 
"n" operation. In step 266 the w n M bit output from step 

so 264 is stored as "n" bit string "L" and "n" bits string "R" 
is once again stored as string "R\ In step 268 "n" bit 
string "L" and "R" are outputted as a "2n" bit block cor- 
responding to the decrypted form of the inputted block 
or string. It should be noted that it is also possible to 

55 replace the hash functions of steps 204 and 222 of Fig. 
3 , and steps 244 and 262 of Fig. 4 with other hash func- 
tions. It should be noted that the hash functions used in 
steps 204 and 262 should be the same, and hash func- 
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tions used in steps 222 and 244 should be the same. It 
is also possible to use different keys or pseudorandom 
functions for the pseudorandom functions of steps 210 
and 216 of Fig 3, and different keys or pseudorandom 
functions for the pseudorandom functions of steps 250 
and 256 of Fig. 4. It should be noted that the keys and 
pseudorandom functions used in steps 216 and 250 
should be the same, and the keys and pseudorandom 
functions used in steps 210 and 256 should be the 
same. 

[0013] In one embodiment of the present invention, 
the number of bits B n" is equal to 160. As a result, the 
keys K 1 and K 3 used by the square hashing function are 
each 160 bits long. Additionally, the pseudorandom 
SHA function uses 2 keys. The first key is 1 60 bits long 
and the second key is 352 bits long. The SHA function 
is a cryptographic hash function that reduces 512 bits 
to 160 bits. The operand of the SHA function, as illus- 
trated in Equation (3), is the concatenation of key ^ and 
data block "B", where the data block °B n is the "n" bit 
block or string that was used as an operand of the pseu- 
dorandom functions discussed in FIGS. 3 and 4. 

f K2 = SHA(K 4 ,((K 2t B)) (3) 

[001 4] The key K 4 is 1 60 bits long and is a secret value 
shared by the user encrypting the data and the user that 
will decrypt the data. 

[0015] The keys are generated using an initial pseu- 
dorandom number known to both the user encrypting 
the data and the user decrypting the data. FIGS. 5-8 il- 
lustrate the process used to develop keys K 1 through K 4 
using the initial seed S 0 . FIG. 5 illustrates an overview 
of the process for developing the keys. Seed S 0 , public 
constant PC and public key PK are fed to pseudoran- 
dom function SHA (secure hash function). 

Sf = SHA ( PK t ( PC , S, ^ )) for M -1 1 (4) 

[001 6] In step 302 the SHA function which is illustrat- 
ed by Equation (4) is performed in an interactive fashion 
to produce the values S 1 through S ni . Each of the values 
St through S 1V are 160 bits long. In step 304, the values 
S-, through S 1V are fed to polynomial calculation 306. 

X,s(AS,+ B)mod 0 for/=1-11 (5) 

Where Q is an irreducable polynomial of degree 160. 
[0017] In step 306, Equation (5) is executed to pro- 
duce the values X n through X u where each value con- 
tains 1 60 bits. Equation (5) illustrates a polynomial mul- 
tiplication followed by a polynomial addition where the 
operand Sj correspond to the outputs Sj from Equation 
(4). The polynomials "A" and °B" are any two random 



binary polynomials in one variable of 1 60 bits. Equation 
(5) is executed for each value of S t to produce values 
X n through X 1V Each value Xj is 320 initially bits long 
and is reduced to 1 60 bits using a binary irreducible pol- 

5 ynomial. Polynomial arithmetic and irreducible polyno- 
mials are well known in the art and are discussed in ref- 
erences such as "Mathematics for Computer Algebra" 
by Maurice Mignotte, 1 991 , Springer-Verlag, New York. 
In step 31 0, the 76 least significant bits (LSBs) of strings 

io X-, through X 10 and the 72 LSBs of X^ are used to create 
a collection of 832 bits. The 832 bits developed in step 
310 correspond to keys Kj through K 4 . 
[0018] FIGS. 6 and 7 illustrates the way in which the 
operand of the SHA function are developed. It should 

is be recalled that the SHA function uses a 1 60 bit key and 
a 51 2 bit operand to produce a 1 60 bit output. The SHA 
function uses the 160 bit key to hash or reduce the 512 
bit operand to a 160 bit output. FIG. 6 shows that string 
S 1 is produced by using the 1 60 bit public key PK as the 

20 key for the SHA function and by using a concatenation 
of the seed S 0 and a portion of public constant PC as 
the operand of the SHA function. Typically, seed S 0 may 
contain anywhere from 40 to 512 bits, and the operand 
of the SHA function requires 51 2 bits. As a result, the 

25 LSBs of public constant PC are used to provide the nec- 
essary bits to produce a 512 bit operand for the SHA 
function when S 0 is less than 512 bits. For example, if 
seed S 0 has "x" bits, the 51 2-"x" least significant bits of 
public constant PC are concatenated with the bits of S 0 . 

30 The bits of S 0 are used as the least significant bits of the 
512 bit operand for the SHA function. The operation il- 
lustrated in FIG. 6 produces the string S n which has 160 
bits. FIG. 7 illustrates the process for developing the re- 
maining Sj where V = 2 through 11. Once again, the 

35 SHA function requires a 1 60 bit key and a 51 2 bit string 
that will be reduced. The public key PK is used as the 
160 bit key for the SHA function of FIG. 7 and the 512 
bit string to be reduced is a concatenation of the prior 
160 bit string S M and the 352 LSBs of public constant 

40 PC. It should be noted that since S- M provides 1 60 bits, 
352 least significant bits are required from public con- 
stant PC to produce a total of 51 2 bits for the SHA func- 
tion. The 160 bits corresponding to S M are used as the 
LSBs of the string to be hashed and the 352 LSBs from 
public constant PC are used as the most significant bits 
of the string to be hashed. 

[0019] Recalling FIG. 5, after strings through S n 
are produced they are each used as an operand to the 
polynomial operation defined by Equation (5) to produce 

so strings Xj through X u where each string is 160 bits long. 
FIG. 8 illustrates how the collection of strings X, through 
X^ are used to produce an 832 bit string that corre- 
sponds to keys K 1 through K 4 . The least significant 76 
bits of strings X-, through X 10 and least significant 72 bits 

55 of string X^ are concatenated to produce the 832 bits 
that are used to produce keys K t through K 4 . The least 
significant bits of the 832 bit string are the least signifi- 
cant 76 bits of string X 1 which are then followed by the 
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least significant 76 bits of string X2 and so on until the 
832 bit string is completed by using the least significant 
72 bits of string X 1V The resulting 832 bit string is then 
broken into keys K 1 through K 4 where the least signifi- 
cant 160 bits correspond to key K 1f the next 352 bits 
correspond to key K2, the following 1 60 bits correspond 
to key K 3 and the final 1 60 bits correspond to key K 4 . 



Claims 

1 . A method of encrypting a first n bit string and a sec- 
ond n bit string, comprising the steps of: 

performing a square hash of the first n bit string 
using a first key to produce a first hash result; 
modulo n summing the first hash result and the 
second n bit string to produce a first sum; 
using the first sum as an operand of a pseudo 
random function with a second key to produce 
a first pseudo random result; 
modulo n summing the first pseudo random re- 
sult and the first n bit string to produce a second 
sum; 

using the second sum as an operand of the 
pseudo random function with the second key to 
produce a second pseudo random result; 
modulo n summing the second pseudo random 
result and the first sum to produce a third sum; 
performing the square hash of the third sum us- 
ing a fourth key to produce a second hash re- 
sult; 

modulo n summing the second sum and the 
second hash result to produce a fourth sum; 
and 

using the fourth sum and third sum as encrypt- 
ed representations of the first n bit string and 
the second n bit string. 

2. The method of claim 1, wherein the second and 
third keys are equal. 

3. The method of claim 1 , wherein the pseudo random 
function is a SHA pseudo random function. 

4. The method of claim 3, wherein the second and 
third keys are equal. 

5. A method of encrypting a first n bit string and a sec- 
ond n bit string, comprising the steps of: 

using a first hash function to perform a hash of 
the first n bit string using a first key to produce 
a first hash result; 

modulo n summing the first hash result and the 
second n bit string to produce a first sum; 
using the first sum as an operand of a pseudo 
random function with a second key to produce 



a first pseudo random result; 
modulo n summing the first pseudo random re- 
sult and the first n bit string to produce a second 
sum; 

5 using the second sum as an operand of the 

pseudo random function with a third key to pro- 
duce a second pseudo random result; 
modulo n summing the second pseudo random 
result and the first sum to produce a third sum; 

10 using a second hash function to perform a hash 

of the third sum using a fourth key to produce 
a second hash result; 

modulo n summing the second sum and the 
second hash result to produce a fourth sum; 
*5 and 

using the fourth sum and third sum as encrypt- 
ed representations of the first n bit string and 
the second n bit string. 

20 6. The method of claim 5, wherein the first and second 
hash functions are the same. 

7. The method of claim 5, wherein the pseudo random 
function is a SHA pseudo random function. 

25 

8. A method of encrypting a first n bit string and a sec- 
ond n bit string, comprising the steps of: 

performing a square hash of the first n bit string 
30 using a first key to produce a first hash result; 

modulo n summing the first hash result and the 
second n bit string to produce a first sum; 
using the first sum as an operand of a first pseu- 
do random function with a second key to pro- 
35 duce a first pseudo random result; 

modulo n summing the first pseudo random re- 
sult and the first n bit string to produce a second 
sum; 

using the second sum as an operand of a sec- 
40 ond pseudo random function with a third key to 

produce a second pseudo random result; 
modulo n summing the second pseudo random 
result and the first sum to produce a third sum; 
performing the square hash of the third sum us- 
45 ing a fourth key to produce a second hash re- 

sult; 

modulo n summing the second sum and the 
second hash result to produce a fourth sum; 
and 

so using the fourth sum and third sum as encrypt- 

ed representations of the first n bit string and 
the second n bit string. 
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FIG. 4 
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